Cybersecurity awareness training. Just the name is enough to strike fear into the hearts of office workers worldwide.
For most people, it immediately conjures up images of the dark, stuffy classrooms they’re called to once each year to listen to a boring presentation about corporate security.
Why? Let’s be brutally honest. Pretty much everybody is convinced that SAT (security awareness training) doesn’t work, and that organizations only do it to satisfy compliance frameworks.
But I have a theory. I believe SAT isn’t bad purely because it’s underfunded and widely discredited (though that certainly is true). I believe SAT is bad because it’s founded on a totally useless principle: increasing awareness.
Who Cares About Cybersecurity “Awareness”
Here’s a question for you: When was the last time you read an informative article and immediately made genuine, lasting changes to your daily behavior?
For the most part, it just doesn’t happen. People change their behaviors for all sorts of reasons, but it’s almost never because they have more information.
We all like to pretend that we’re highly rational creatures, who make educated and informed decisions… but it’s not true. For the most part, we fall back on ingrained behaviors, and it takes more than information to change those.
Now think back to the last time you really did make a major behavioral change. Perhaps you cleaned up your diet or started exercising twice a week. Maybe you started learning a new language or getting up 30 minutes earlier each morning.
If you’re like most people, making this lasting change was really, really hard. But if we were really the rational creatures we pretend to be, it should have been easy… you’d just decide to make a change and then act accordingly.
OK, you might be thinking, what’s your point?
Simply this: Increasing awareness is a terrible training goal because it will never have a significant or lasting impact on real-world cyber risk. Instead, what we really need to focus on are security behaviors.
But which behaviors, you ask? That’s actually pretty easy to answer.
Take a look back at every reported breach from the last ten years, and what do you notice? Almost every single one included a phishing component somewhere along the line. Why? Because tricking people is almost always easier than tricking computers.
But this leaves us with a problem. The prevailing wisdom in the cybersecurity industry is that people are a huge security flaw, and must be protected at all costs. At the same time, though, those same people are being heavily targeted, because they’re the easiest route into a target network.
And it gets worse. All those technical controls designed to mitigate the threat of malicious email? They’re great, but they aren’t perfect. Some phishing emails will always get through to your users’ inboxes.
Starting to see the problem, right? If we can’t completely protect our users from cyber attacks, we’re going to need to come up with a better approach to security training.
Practice, Practice, Practice
If you wanted to learn the guitar, what would you do? Buy a guitar, read a few books, and practice.
So how, then, should we approach training users to identify phishing emails? If it were left up to me, I’d provide them with some training, and then give them an opportunity to practice.
To that end, here’s my humble suggestion: Create your own realistic phishing simulations, and send them to your users on a regular basis.
Naturally, you’ll need to provide some initial training, so your employees understand the purpose of the program and what’s expected of them. And yes, you will need to put in the time to develop high-quality training materials and build up a bank of real-world source material to inform your simulations.
But once all else is said and done, it’s time to start phishing your employees.
The Finer Points of Phishing Your Employees
As with any training program, the devil is in the detail. Get it right, and you’ll have a powerful training initiative in place that will consistently move the needle on cyber risk.
Here are some of the things you’ll need to keep in mind when developing your program:
Consistency is vital – While you will start to see improvements in employee security behaviors almost immediately, fundamentally this is a marathon, not a sprint. In my experience, monthly simulations strike a good balance between maximizing learning opportunities without interfering with your employees’ primary functions. Make sure you keep it up, though, because if you decide to shelve the program down the line, your employees will quickly return to their bad habits.
Make it easy to “win” – Ideally, you don’t just want employees to delete phishing emails, you want them to report any suspected malicious emails to your security experts. These can be used to identify and quarantine similar emails, tighten technical security controls such as spam filters, and even provide fuel for future simulations.
But to get all those benefits, you must make the reporting process as easy as it can be. I suggest adding a simple “report phishing email” button directly to employees’ email client.
Time your training – One of the biggest reasons why traditional SAT is unsuccessful is because it delivers training out of context. The absolute best time to train your employees is immediately after they “fail” one of your simulations. Simply direct any employee who fails a simulation to a multimedia training page which covers the specific type of phishing email they have just received. Then, a week or so later, retest those same users to solidify their learning.
Get the C-suite onside – This is vital. Before you kick off your program, make sure you have buy-in from above. Put together an air-tight business case, and make it clear that the program’s ROI will be routinely tracked and reported on. So long as you have executive support, and you can evidence the value of your program, retaining your funding should be a simple matter.
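To make the tracking and timing points above concrete, here is an added example (not part of the original article) that takes simulation results, computes the per-campaign click and report rates you would put in front of the C-suite, and builds the one-week retest list for anyone who failed. The result records and the `RETEST_DELAY` constant are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

RETEST_DELAY = timedelta(days=7)  # "a week or so later": assumed programme setting


@dataclass
class SimResult:
    user: str
    campaign: str   # campaign label, e.g. the month the simulation went out
    sent: date
    clicked: bool   # user fell for the simulated lure ("failed")
    reported: bool  # user used the report-phishing button ("won")


# Constructed sample results for two monthly campaigns (not real data)
RESULTS = [
    SimResult("alice", "2024-01", date(2024, 1, 10), clicked=False, reported=True),
    SimResult("bob",   "2024-01", date(2024, 1, 10), clicked=True,  reported=False),
    SimResult("carol", "2024-01", date(2024, 1, 10), clicked=False, reported=False),
    SimResult("alice", "2024-02", date(2024, 2, 12), clicked=False, reported=True),
    SimResult("bob",   "2024-02", date(2024, 2, 12), clicked=False, reported=True),
    SimResult("carol", "2024-02", date(2024, 2, 12), clicked=True,  reported=False),
]


def campaign_metrics(results):
    """Per-campaign click rate and report rate: the two numbers to trend over time."""
    by_campaign = defaultdict(list)
    for r in results:
        by_campaign[r.campaign].append(r)
    metrics = {}
    for name, rs in by_campaign.items():
        n = len(rs)
        metrics[name] = {
            "sent": n,
            "click_rate": sum(r.clicked for r in rs) / n,
            "report_rate": sum(r.reported for r in rs) / n,
        }
    return metrics


def retest_schedule(results):
    """Users who clicked get just-in-time training now and a retest a week later."""
    return [(r.user, r.campaign, r.sent + RETEST_DELAY) for r in results if r.clicked]


if __name__ == "__main__":
    for name, m in sorted(campaign_metrics(RESULTS).items()):
        print(f"{name}: sent={m['sent']} click={m['click_rate']:.0%} report={m['report_rate']:.0%}")
    for user, campaign, when in retest_schedule(RESULTS):
        print(f"retest {user} (failed {campaign}) on {when}")
```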
A Winning Combination
As you’ve probably gathered, the type of phishing awareness program I’ve described here isn’t a one-shot fix… it’s an ongoing process. Employee churn rates will ensure there is a perpetual need for basic training, and your more experienced employees will always need to be prepared to face the latest phishing threats.
But here’s the thing. No matter how good your employees get at identifying phishing emails, they’ll never be perfect. That’s why, to really ensure the continued security of your organization, it’s vital that you combine high-quality phishing defense training with carefully chosen technical controls and a skilled incident response resource.